mirror of https://github.com/RGBCube/ncc synced 2025-07-29 19:17:45 +00:00

Set up restic on all hosts

RGBCube 2024-05-27 13:38:44 +03:00
parent f5da41b495
commit fefb810d97
Signed by: RGBCube
SSH key fingerprint: SHA256:CzqbPcfwt+GxFYNnFVCqoN5Itn4YFrshg1TrnACpA5M
15 changed files with 100 additions and 82 deletions


@ -15,6 +15,12 @@
openssh.authorizedKeys.keys = [ keys.enka ];
hashedPasswordFile = config.secrets.rgbPassword.path;
};
backup = normalUser {
description = "Backup";
openssh.authorizedKeys.keys = keys.all;
hashedPasswordFile = config.secrets.rgbPassword.path;
};
};
services.openssh = {
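Review bot: The new `backup` account is declared with `normalUser`, accepts every key in `keys.all`, and reuses the primary user's `hashedPasswordFile` (`config.secrets.rgbPassword.path`), so each of those keys gets an ordinary user login on this host rather than an SFTP-only endpoint for restic. The same pattern appears in the other two host user sections, the ones using `floppyPassword` (where the key list is widened to `keys.all`) and `sevenPassword`. If the account exists only as a restic sftp target, consider dropping the shared password hash and confining it in sshd, for example through `services.openssh.extraConfig` with `Match User backup` and `ForceCommand internal-sftp`. `normalUser` and `keys.all` are defined outside this hunk, so the shell and the exact key set they imply should be confirmed.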


@ -24,6 +24,10 @@ in systemConfiguration {
}];
};
services.restic.backups = genAttrs config.resticHosts (_: {
paths = [ "/var/lib/gitea-runner" "/var/lib/forgejo" ];
});
users.groups.gitea-runner = {};
users.users.gitea-runner = systemUser {
extraGroups = [ "docker" ];


@ -24,6 +24,10 @@ in systemConfiguration {
}];
};
services.restic.backups = genAttrs config.resticHosts (_: {
paths = [ "/var/lib/grafana" ];
});
systemd.services.grafana = {
after = [ "postgresql.service" ];
requires = [ "postgresql.service" ];


@ -59,6 +59,10 @@ in serverSystemConfiguration {
];
};
services.restic.backups = genAttrs config.resticHosts (_: {
paths = [ "/var/lib/matrix-synapse" "/var/lib/matrix-sliding-sync" ];
});
services.matrix-synapse = enabled {
withJemalloc = true;


@ -32,6 +32,10 @@ in systemConfiguration {
}];
};
services.restic.backups = genAttrs config.resticHosts (_: {
paths = [ "/var/lib/nextcloud" ];
});
systemd.services.nextcloud-setup = {
after = [ "postgresql.service" ];
requires = [ "postgresql.service" ];


@ -1,4 +1,4 @@
{ lib, pkgs, ... }: with lib; merge
{ config, lib, pkgs, ... }: with lib; merge
(systemConfiguration {
services.prometheus.exporters.postgres = enabled {
@ -6,6 +6,20 @@
runAsLocalSuperUser = true;
};
services.restic.backups = genAttrs config.resticHosts (_: {
paths = [ "/tmp/postgresql-dump.sql.gz" ];
backupPrepareCommand = ''
${config.services.postgresql.package}/bin/pg_dumpall --clean \
| ${lib.getExe pkgs.gzip} --rsyncable \
> /tmp/postgresql-dump.sql.gz
'';
backupCleanupCommand = ''
rm /tmp/postgresql-dump.sql.gz
'';
});
services.postgresql = enabled {
package = pkgs.postgresql_14;
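Review bot: The `backupPrepareCommand` pipeline can hand restic a truncated or empty dump without failing, because the exit status of `pg_dumpall ... | gzip` is gzip's unless the wrapper that runs this script already enables pipefail (not visible here). The dump is also written to the fixed name `/tmp/postgresql-dump.sql.gz` under whatever umask the unit has, and since `genAttrs config.resticHosts` generates one job per host, every job writes and removes that same path. That is only safe if each unit gets a private /tmp, which should be confirmed. Suggest opening the command with `set -o pipefail` and `umask 077`, and using `rm -f /tmp/postgresql-dump.sql.gz` in `backupCleanupCommand` so a failed prepare step does not also fail cleanup.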


@ -1,44 +0,0 @@
{ config, lib, pkgs, ... }: with lib;
systemConfiguration {
secrets.resticPassword.file = ./password.age;
services.restic.backups.disk = {
repository = "sftp:backup@disk:${config.networking.hostName}-backup";
passwordFile = config.secrets.resticPassword.path;
initialize = true;
pruneOpts = [
"--keep-daily unlimited"
"--keep-weekly unlimited"
"--keep-monthly 6"
"--keep-yearly 12"
];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
};
paths = [
"/tmp/postgresql-dump.sql.gz"
] ++ map (dir: "/var/lib/${dir}") [
"forgejo"
"gitea-runner"
"grafana"
"matrix-sliding-sync"
"matrix-synapse"
"nextcloud"
];
backupPrepareCommand = ''
${config.services.postgresql.package}/bin/pg_dumpall --clean \
| ${lib.getExe pkgs.gzip} --rsyncable \
> /tmp/postgresql-dump.sql.gz
'';
backupCleanupCommand = ''
rm /tmp/postgresql-dump.sql.gz
'';
};
}


@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw JhqOkh+PwYHVBthp3sK8ObXpilu/Fn8sDelDyk9ShkI
Q93HHN68Sq3g+dvPLi/uw/w6Uzsqi39rPwV8hitl1dM
-> ssh-ed25519 CzqbPQ R+z/ARbQuV0B4fZ/f/4Z7LQCofg0VbagNymI2VkRv38
/WEmH+UdUQ3u3IACisaYIhJ0u8fiJP/hjPd6UkN5c8k
-> ssh-ed25519 f5VzMA FrgY7EJzi5ZtdxA8bIZZG5Q1L7Abrx0wWyVKOGreRgU
OWTnpJl9Yt14H9tzLxFxZqksADe4fAESWQ2ebZt/vMg
--- jjnpTS1CXY89cYNu90SL5kVJ8ddo7Twabb9TWIyaYMw
}©<><>="±T/y¶Ø:߈Œ¾l‡;/°èõ¸[„jÃÐe@¸šÉe²³¬`


@ -18,7 +18,7 @@
backup = normalUser {
description = "Backup";
openssh.authorizedKeys.keys = [ keys.cube keys.enka ];
openssh.authorizedKeys.keys = keys.all;
hashedPasswordFile = config.secrets.floppyPassword.path;
};
};


@ -13,6 +13,10 @@ in systemConfiguration {
listenAddress = "[::]";
};
services.restic.backups = genAttrs config.resticHosts (_: {
paths = [ config.mailserver.dkimKeyDirectory config.mailserver.mailDirectory ];
});
mailserver = enabled {
fqdn = mkDefault fqdn;
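Review bot: Adding `config.mailserver.dkimKeyDirectory` to `paths` copies the DKIM private keys into the repository on every host in `config.resticHosts`, and nothing in this hunk documents that. Their confidentiality then rests entirely on the restic repository password and on who can reach the `backup` account on each target; how that password is provisioned is outside this hunk. I would record that next to the path list, for example `# includes DKIM private keys: restic repo password protects mail signing keys on every backup host`, and rotate the DKIM keys if a backup host or the repository password is ever exposed.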


@ -15,6 +15,12 @@
openssh.authorizedKeys.keys = [ keys.enka ];
hashedPasswordFile = config.secrets.sevenPassword.path;
};
backup = normalUser {
description = "Backup";
openssh.authorizedKeys.keys = keys.all;
hashedPasswordFile = config.secrets.sevenPassword.path;
};
};
services.openssh.hostKeys = [{